CVE-2026-9423 Overview
CVE-2026-9423 is a command injection vulnerability affecting Edimax BR-6675nD firmware version 1.12. The flaw resides in the mp function within the /goform/mp endpoint, which is part of the device's POST request handler. An authenticated attacker can manipulate the command argument to inject operating system commands that execute in the context of the router's web service. The attack is reachable over the network. According to the disclosure, the exploit has been released publicly. The vendor was contacted prior to disclosure but did not respond.
Critical Impact
Remote attackers with valid credentials can inject arbitrary commands through the /goform/mp endpoint on Edimax BR-6675nD 1.12 routers, with public exploit code available and no vendor patch released.
Affected Products
- Edimax BR-6675nD firmware version 1.12
- Component: POST Request Handler (/goform/mp)
- Vulnerable function: mp
Discovery Timeline
- 2026-05-25 - CVE-2026-9423 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9423
Vulnerability Analysis
The vulnerability is classified under [CWE-74] as improper neutralization of special elements in output used by a downstream component. The mp handler at /goform/mp processes POST parameters from authenticated users and passes the command argument to a system-level execution routine without sanitization. An attacker who submits crafted shell metacharacters within the command parameter can break out of the intended command context and execute arbitrary OS commands on the router. Successful exploitation yields code execution on the embedded Linux platform with the privileges of the web service, which on consumer routers typically runs as root. The attack vector is network-based and requires high privileges, but public exploit code lowers the barrier for opportunistic abuse against exposed management interfaces.
Root Cause
The root cause is missing input validation and command sanitization in the mp function before the command parameter is concatenated into a shell invocation. The handler trusts authenticated input and does not filter shell metacharacters such as ;, |, &, or backticks.
Attack Vector
Exploitation requires an authenticated session against the device's HTTP administration interface. The attacker sends a crafted POST request to /goform/mp containing a manipulated command argument. The shell metacharacters embedded in the parameter cause the router to execute injected commands alongside the intended action. No verified proof-of-concept code is included here; refer to the Notion technical writeup and the VulDB Vulnerability Report for reproduction details.
Detection Methods for CVE-2026-9423
Indicators of Compromise
- POST requests to /goform/mp containing shell metacharacters (;, |, &, `, $()) within the command parameter.
- Unexpected outbound connections originating from the router to attacker-controlled infrastructure.
- New or modified processes on the device that are not part of the stock firmware footprint.
Detection Strategies
- Inspect HTTP request logs on upstream proxies or network sensors for POSTs to /goform/mp containing suspicious characters in body parameters.
- Deploy network IDS signatures that flag command-injection payloads targeting Edimax administration endpoints.
- Monitor management interfaces for authentication followed by anomalous request patterns to legacy goform handlers.
Monitoring Recommendations
- Restrict and log all access to router administration interfaces, alerting on logins from non-administrative source ranges.
- Capture and review DNS and NetFlow telemetry from network infrastructure devices for beaconing behavior.
- Track firmware version inventory and flag any BR-6675nD 1.12 devices that remain exposed to untrusted networks.
How to Mitigate CVE-2026-9423
Immediate Actions Required
- Remove the BR-6675nD 1.12 management interface from any internet-facing exposure and restrict it to trusted administrative VLANs.
- Rotate administrative credentials and disable any shared or default accounts on affected routers.
- Treat the device as end-of-support given the vendor's lack of response, and plan replacement with a maintained platform.
Patch Information
No vendor patch is available. The disclosure notes that Edimax was contacted but did not respond. Organizations should not expect a fix and should prioritize compensating controls or device replacement.
Workarounds
- Place the router behind an upstream firewall that blocks inbound HTTP/HTTPS to the management interface.
- Disable remote administration features and restrict management access to wired LAN clients only.
- Apply network segmentation so that any compromise of the device cannot pivot into sensitive internal segments.
- Replace the affected hardware with a vendor-supported router that receives security updates.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
