Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12809

CVE-2026-12809: Edimax BR-6478AC V2 RCE Vulnerability

CVE-2026-12809 is a command injection flaw in Edimax BR-6478AC V2 routers that enables remote code execution through the wiz_5in1_redirect function. This article covers technical details, affected systems, and mitigation.

Published:

CVE-2026-12809 Overview

CVE-2026-12809 is a command injection vulnerability affecting Edimax BR-6478AC V2 firmware version 1.23. The flaw resides in the wiz_5in1_redirect function within /goform/wiz_5in1_redirect, which is reachable through the POST request handler. Attackers manipulate the newpass argument to inject operating system commands that the device executes. The vulnerability is remotely exploitable and requires low-level privileges on the target device. According to the CVE record, a public exploit exists and the vendor did not respond to disclosure attempts. The issue is classified under CWE-74 for improper neutralization of special elements in output.

Critical Impact

Authenticated remote attackers can inject arbitrary operating system commands into the router through a crafted POST request, potentially gaining control over network traffic traversing the affected device.

Affected Products

  • Edimax BR-6478AC V2 router
  • Firmware version 1.23
  • wiz_5in1_redirect endpoint within /goform/wiz_5in1_redirect

Discovery Timeline

  • 2026-06-21 - CVE-2026-12809 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2026-12809

Vulnerability Analysis

The vulnerability is a command injection flaw [CWE-74] in the web management interface of the Edimax BR-6478AC V2 router. The wiz_5in1_redirect handler processes POST data submitted through /goform/wiz_5in1_redirect as part of the device's setup wizard workflow. The newpass parameter, intended to receive a password string, is passed to a system command without proper neutralization of shell metacharacters. An attacker who can reach the device's web interface and provide low-privilege credentials can append shell operators such as ;, |, or backticks to the parameter value, causing the router's underlying operating system to execute attacker-supplied commands.

Root Cause

The root cause is improper input neutralization within the wiz_5in1_redirect function. User-controlled data from the newpass POST parameter flows into a shell execution context — likely through a system() or equivalent call — without sanitization or argument escaping. This pattern matches the broader [CWE-74] injection class, where data and code share a parsing channel.

Attack Vector

Exploitation requires network access to the router's HTTP management interface and authenticated session privileges. The attacker submits a crafted POST request to /goform/wiz_5in1_redirect with a newpass value containing shell separators followed by arbitrary commands. The device executes those commands with the privileges of the web server process, which on consumer routers typically runs as root. A public proof of concept is referenced in the Notion Security Overview and the VulDB CVE-2026-12809 entry. Detailed exploitation code is described in those references; readers should consult them for technical specifics rather than synthetic reproductions.

Detection Methods for CVE-2026-12809

Indicators of Compromise

  • POST requests to /goform/wiz_5in1_redirect containing shell metacharacters such as ;, |, &, $(), or backticks within the newpass parameter.
  • Outbound connections from the router to unexpected hosts following administrative interface access.
  • Unexpected changes to router configuration, DNS settings, or firmware following access to the setup wizard endpoint.

Detection Strategies

  • Inspect HTTP request bodies destined for the router's management interface for non-printable or shell-syntax characters in password fields.
  • Compare baseline router behavior with current behavior: new listening ports, modified DNS entries, or unexpected processes indicate compromise.
  • Apply the EPSS exploitation probability data from VulDB and the public PoC availability when prioritizing this CVE in vulnerability management workflows.

Monitoring Recommendations

  • Log all POST requests to /goform/ paths on Edimax devices when network captures are available.
  • Alert on traffic patterns where consumer routers initiate connections to internet hosts not associated with vendor update or NTP services.
  • Monitor DHCP and DNS logs on adjacent infrastructure for clients receiving altered configurations from the affected router.

How to Mitigate CVE-2026-12809

Immediate Actions Required

  • Restrict access to the router's web management interface to trusted internal hosts only and disable remote WAN-side administration.
  • Rotate administrative credentials on the BR-6478AC V2 to limit the pool of accounts that could supply the low-privilege session needed for exploitation.
  • Inventory networks for Edimax BR-6478AC V2 devices running firmware 1.23 and isolate them on segmented VLANs pending replacement.

Patch Information

No vendor patch is referenced in the CVE record. According to the disclosure, the vendor was contacted early but did not respond. Organizations should track the VulDB Vulnerability #372603 entry for updates and consult the VulDB CTI Report #372603 for additional context.

Workarounds

  • Disable the setup wizard interface where the device configuration permits, removing the wiz_5in1_redirect handler from the exposed attack surface.
  • Place the router behind an upstream firewall that blocks unauthenticated and authenticated HTTP traffic from untrusted segments to the management interface.
  • Replace end-of-support or unresponsive-vendor hardware with currently supported equivalents when no patch timeline exists.
bash
# Configuration example: restrict management interface access at the upstream firewall
# Replace 192.0.2.10 with the trusted administrator host and 198.51.100.1 with the router IP
iptables -A FORWARD -s 192.0.2.10 -d 198.51.100.1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 198.51.100.1 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 198.51.100.1 -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.