Edimax BR-6208AC CVE-2025-14910
Severity (by source): LOW
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was detected in Edimax BR-6208AC 1.02. This impacts the function handle_retr of the component FTP Daemon Service. The manipulation results in path traversal. The attack may be launched remotely. The exploit is now public and may be used. Edimax confirms this issue: "This product is no longer available in the market and has been discontinued for five years. Consequently, Edimax no longer provides technical support, firmware updates, or security patches for this specific model. However, to ensure the safety of our remaining active users, we acknowledge this report and will take the following mitigation actions: (A) We will issue an official security advisory on our support website. (B) We will strongly advise users to disable the FTP service on this device to mitigate the reported risk, by which the product will still work for common use. (C) We will recommend users upgrade to newer, supported models." This vulnerability only affects products that are no longer supported by the maintainer.
Analysis (AI)
Path traversal in the FTP daemon service of Edimax BR-6208AC firmware version 1.02 allows authenticated remote attackers to read files outside the intended FTP directory via crafted FTP commands handled by the handle_retr function. The device is discontinued and unsupported, and exploit code is publicly available. While the CVSS score is low (2.1) and EPSS indicates minimal exploitation likelihood (0.12%), the vulnerability is real for the small population still using this legacy hardware.
Technical Context (AI)
The Edimax BR-6208AC is a dual-band wireless router with an integrated FTP daemon service. The vulnerability exists in the FTP daemon's handle_retr function, which processes file retrieval requests. The flaw stems from improper input validation of FTP RETR (retrieve) commands: path traversal sequences (such as '../../') in the requested filename are not rejected, so the resolved path can escape the configured FTP root directory. CWE-22 (Path Traversal) applies because the daemon fails to canonicalize or validate file paths before accessing the filesystem. This is a classic FTP implementation flaw in which user-supplied paths are not checked for directory escape attempts before use.
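As an added illustration of the CWE-22 pattern described above (this is not Edimax's code and nothing here is taken from the affected firmware), the following contrasts the flawed approach, joining the client-supplied filename onto the FTP root without canonicalizing it, with a containment check that canonicalizes first and refuses any result outside the root. The share root `/mnt/usb/ftp`, the function names and the sample RETR lines are assumptions chosen for the example.

```python
"""Defensive path resolution for an FTP RETR handler (added example).

Contrasts a naive join, which lets '..' segments survive, with a
canonicalize-then-check approach. Root path and sample commands are
constructed for illustration and are not from the affected product.
"""
import posixpath

FTP_ROOT = "/mnt/usb/ftp"  # assumed share root (illustrative value)


def resolve_naive(root, client_path):
    """Flawed pattern: concatenate root and client path with no validation.
    '..' segments are preserved, so the result can point outside root."""
    return root.rstrip("/") + "/" + client_path.lstrip("/")


def resolve_safe(root, client_path):
    """Canonicalize the client path relative to root and refuse anything
    that does not stay inside root. Returns the resolved path or None."""
    if "\0" in client_path:          # NUL would truncate a C string later
        return None
    root = posixpath.normpath(root)
    # FTP 'absolute' paths are relative to the virtual root, so strip the
    # leading '/' and anchor everything under root before normalizing.
    candidate = posixpath.normpath(
        posixpath.join(root, client_path.lstrip("/")))
    # After normpath there are no '..' segments left; the only thing to
    # check is whether the result is root itself or a descendant of it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def check_retr_command(line, root=FTP_ROOT):
    """Parse a control-channel line such as 'RETR docs/a.txt\\r\\n' and
    return (accepted, resolved_path). Anything that is not a well-formed
    RETR with an argument is rejected."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or parts[0].upper() != "RETR" or not parts[1]:
        return (False, None)
    resolved = resolve_safe(root, parts[1])
    return (resolved is not None, resolved)


if __name__ == "__main__":
    # Constructed sample commands: two legitimate, two escaping the root.
    samples = [
        "RETR docs/readme.txt\r\n",
        "RETR /docs/../readme.txt\r\n",
        "RETR ../../etc/passwd\r\n",
        "RETR docs/../../secret\r\n",
    ]
    for cmd in samples:
        ok, path = check_retr_command(cmd)
        verdict = "accept" if ok else "REJECT (traversal)"
        print(f"{cmd.strip():32} naive={resolve_naive(FTP_ROOT, cmd.split(' ', 1)[1].strip())!r:45} -> {verdict} {path or ''}")
```

The check is purely lexical, which is enough to stop '..' escapes in the request string. On a real filesystem the candidate should additionally be passed through `os.path.realpath` (or `realpath(3)` in C) and compared against the root again, so that a symlink inside the share cannot point outside it. Logging the rejected commands, as the `REJECT` branch above does, also gives a cheap detection signal for traversal attempts against an FTP service.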
Remediation (AI)
No patched firmware is available from Edimax, as the product line is end-of-life and unsupported. The vendor's official recommendation is to disable the FTP service on the device, which removes the attack surface while preserving other router functionality (wireless access, DHCP, routing). To disable FTP: access the router's web administration interface (typically at http://192.168.0.1), navigate to Services or Advanced settings, locate the FTP Daemon option, disable or turn off the service, then save settings. For organizations unable to retire the device immediately, restrict FTP access via network firewalls by blocking TCP port 21 to the router, or disable FTP user accounts if FTP functionality is not required. Users with active FTP dependencies should prioritize upgrading to a newer, vendor-supported Edimax router model, as Edimax has committed to security advisories and patches for current product lines.