Skip to main content
CVE Vulnerability Database

CVE-2026-9402: Edimax BR-6675nD Router RCE Vulnerability

CVE-2026-9402 is a remote code execution vulnerability in Edimax BR-6675nD routers affecting the formWlanMP function. Attackers can exploit command injection via POST requests. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-9402 Overview

CVE-2026-9402 is a command injection vulnerability [CWE-74] in the Edimax BR-6675nD wireless router running firmware version 1.12. The flaw resides in the formWlanMP function within /goform/formWlanMP, which handles POST requests for wireless test and calibration parameters. Attackers can inject operating system commands through more than two dozen unsanitized parameters, including ateFunc, ateGain, ateRate, ateChan, ateMode, ateMacID, and multiple e2pTxPower fields. The exploit code is publicly available. The vendor did not respond to disclosure attempts, leaving deployed devices without an official patch.

Critical Impact

Authenticated remote attackers can execute arbitrary operating system commands on affected Edimax BR-6675nD routers, enabling persistent device compromise and pivot into adjacent network segments.

Affected Products

  • Edimax BR-6675nD wireless router
  • Firmware version 1.12
  • formWlanMP POST request handler in /goform/formWlanMP

Discovery Timeline

  • 2026-05-24 - CVE-2026-9402 published to the National Vulnerability Database
  • 2026-05-26 - Last updated in NVD database

Technical Details for CVE-2026-9402

Vulnerability Analysis

The vulnerability exists in the formWlanMP handler, a CGI-style endpoint used for wireless manufacturing test and calibration operations. The handler accepts more than 25 POST parameters and passes their values into shell command construction without sanitization or argument escaping. Any user able to reach the web management interface and submit a crafted POST request to /goform/formWlanMP can append shell metacharacters to inject arbitrary commands.

The affected parameters cover ATE (Automated Test Equipment) controls such as ateFunc, ateRate, ateChan, ateTxCount, ateBW, ateAntenna, and ateTxFreqOffset, alongside EEPROM transmit power calibration fields e2pTxPower1 through e2pTxPower7 and the corresponding e2pTx2Power variants. Each unfiltered parameter provides an independent injection sink, broadening the attack surface and making input-allowlist mitigations difficult to enforce.

The EPSS score for this vulnerability is 1.058% with a 77.9 percentile ranking, indicating elevated exploitation likelihood relative to most published CVEs.

Root Cause

The root cause is improper neutralization of special elements used in OS commands [CWE-74]. The formWlanMP function concatenates attacker-controlled POST values into shell invocations used to drive wireless test routines, without validating character sets or escaping metacharacters such as ;, |, &, and backticks.

Attack Vector

The attack is network-accessible and requires low privileges. An attacker authenticated to the router web interface sends a single POST request to /goform/formWlanMP containing a malicious value in any of the affected parameters. The injected payload executes in the context of the web server process, typically running with elevated privileges on embedded Linux routers. Because exploitation requires only one HTTP request, it is suitable for botnet recruitment and worm-style propagation against exposed devices.

No verified proof-of-concept code is reproduced here. Refer to the Notion Document Analysis and VulDB Vulnerability #365383 for technical write-ups.

Detection Methods for CVE-2026-9402

Indicators of Compromise

  • POST requests to /goform/formWlanMP originating from untrusted networks or non-administrative source addresses.
  • Parameter values in ateFunc, ateRate, ateChan, or any e2pTxPower* field containing shell metacharacters such as ;, |, &, $(, or backticks.
  • Unexpected outbound connections from the router to attacker-controlled infrastructure following a formWlanMP request.
  • New or modified processes spawned by the embedded web server (typically httpd or goahead) shortly after HTTP activity.

Detection Strategies

  • Inspect HTTP request bodies destined for /goform/formWlanMP at the network perimeter and alert on non-alphanumeric values in test and calibration parameters.
  • Correlate router management-interface access logs with downstream firewall traffic to identify anomalous post-request egress.
  • Hunt for unauthenticated or brute-forced access patterns against the router web interface that precede formWlanMP activity.

Monitoring Recommendations

  • Forward router syslog and HTTP access logs to a centralized log platform and retain at least 90 days of history.
  • Alert on first-seen administrative logins from new geolocations or autonomous systems.
  • Monitor DNS and NetFlow telemetry for beaconing behavior originating from router management VLANs.

How to Mitigate CVE-2026-9402

Immediate Actions Required

  • Remove the router web management interface from any WAN-facing exposure and restrict access to a dedicated management VLAN.
  • Change default and weak administrative credentials, since exploitation requires authenticated access at minimum.
  • Treat affected BR-6675nD devices as end-of-support and plan replacement with a currently maintained model.
  • Place the device behind an upstream firewall that blocks POST requests to /goform/formWlanMP from untrusted sources.

Patch Information

No vendor patch is available. Per the disclosure record, Edimax was contacted but did not respond. Organizations should assume the vulnerability will remain unpatched on the BR-6675nD 1.12 firmware and prioritize compensating controls or device replacement. Track the VulDB Vulnerability #365383 entry for any future vendor updates.

Workarounds

  • Disable remote management and restrict the web interface to a single hardened administrative host.
  • Enforce strict access control lists on upstream routers or firewalls to block traffic to /goform/formWlanMP.
  • Segment the router from sensitive internal assets so a compromise does not yield lateral movement into production networks.
  • Replace the device with a vendor-supported wireless router that receives regular security updates.
bash
# Example upstream firewall rule (iptables) to block external access
# to the vulnerable endpoint on the router management IP
iptables -A FORWARD -p tcp -d 192.0.2.10 --dport 80 \
  -m string --algo bm --string "/goform/formWlanMP" -j DROP
iptables -A FORWARD -p tcp -d 192.0.2.10 --dport 443 \
  -m string --algo bm --string "/goform/formWlanMP" -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.