CVE-2026-9439 Overview
CVE-2026-9439 is a command injection vulnerability in the Edimax BR-6675nD router running firmware version 1.12. The flaw resides in the stainfo function reachable through the /goform/stainfo endpoint. Attackers manipulate the interface argument to inject operating system commands. The exploit can be triggered remotely over the network and requires only low privileges. The exploit has been publicly disclosed, increasing the likelihood of opportunistic abuse. According to public reporting, the vendor was contacted but did not respond to the disclosure, leaving affected devices without an official fix.
Critical Impact
Remote authenticated attackers can inject arbitrary operating system commands through the interface parameter of /goform/stainfo, enabling command execution on the router with no vendor patch available.
Affected Products
- Edimax BR-6675nD router
- Firmware version 1.12
- stainfo handler in /goform/stainfo
Discovery Timeline
- 2026-05-25 - CVE-2026-9439 published to the National Vulnerability Database
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9439
Vulnerability Analysis
The vulnerability is classified as command injection under [CWE-74], improper neutralization of special elements in output used by a downstream component. The stainfo function in the /goform/stainfo web handler accepts an interface argument from the HTTP request and passes it to a shell context without adequate sanitization. An attacker who can reach the router web interface and supply the parameter triggers command execution in the context of the embedded web server, typically running with elevated privileges on consumer-grade routers. Public disclosure of the exploit details on third-party tracking sites raises the operational risk for exposed devices. Because no vendor response was recorded, defenders must assume the issue will remain unpatched on production firmware.
Root Cause
The root cause is the direct use of attacker-controlled input in a system command invocation inside the stainfo handler. The interface argument is concatenated into a shell command string without input validation, allow-listing, or argument escaping. Shell metacharacters such as ;, |, and backticks pass through to the underlying shell.
Attack Vector
The attack vector is network-based. The attacker sends a crafted HTTP request to /goform/stainfo containing a malicious interface parameter. The injected payload executes when the handler builds and runs the shell command. Low-privileged authentication is required, which on consumer routers is often satisfied by default or weak credentials. Refer to the Edimax BR-6675nD stainfo write-up and the VulDB entry #365420 for parameter details and request structure.
Detection Methods for CVE-2026-9439
Indicators of Compromise
- HTTP requests to /goform/stainfo containing shell metacharacters such as ;, |, &&, $(), or backticks in the interface parameter
- Unexpected outbound connections from the router to attacker-controlled infrastructure following web requests to /goform/stainfo
- New or modified processes spawned by the router web server outside its normal binary set
- Configuration changes to DNS, firewall, or routing tables not initiated by an administrator
Detection Strategies
- Inspect web server access logs on the router or upstream proxy for requests to /goform/stainfo with non-alphanumeric values in the interface parameter
- Deploy network signatures that flag HTTP POST or GET requests containing command injection patterns directed at /goform/
- Correlate router management-plane traffic with subsequent outbound connections to identify post-exploitation callbacks
Monitoring Recommendations
- Restrict and monitor administrative access to router web interfaces from untrusted network segments
- Capture and retain HTTP request logs from the router perimeter for forensic review
- Alert on any external source attempting to authenticate to the router management interface
How to Mitigate CVE-2026-9439
Immediate Actions Required
- Disable remote management on the BR-6675nD and block WAN-side access to /goform/stainfo
- Restrict LAN access to the router administrative interface to a dedicated management VLAN or trusted hosts only
- Rotate router credentials and disable any default or shared accounts to raise the bar for the required low-privilege authentication
- Plan migration off the BR-6675nD given the absence of a vendor response and patch
Patch Information
No vendor patch is available. According to the public disclosure, Edimax was contacted but did not respond. Organizations should treat this device as end-of-support for this issue and prioritize replacement with a currently supported router platform.
Workarounds
- Place the router behind an upstream firewall that drops inbound HTTP and HTTPS traffic to its management interface
- Use a web application filter or reverse proxy to block requests containing shell metacharacters in query or body parameters targeting /goform/
- Segment IoT and network infrastructure devices from user and server networks to limit lateral movement after compromise
- Monitor for and replace the affected firmware version 1.12 with a supported alternative router
# Example upstream firewall rule to block WAN access to the vulnerable endpoint
iptables -I FORWARD -p tcp --dport 80 -d <router_ip> \
-m string --string "/goform/stainfo" --algo bm -j DROP
iptables -I FORWARD -p tcp --dport 443 -d <router_ip> \
-m string --string "/goform/stainfo" --algo bm -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
