Skip to main content

Edimax BR-6428NS CVE-2026-8775

| EUVDEUVD-2026-30721 HIGH
Classic Buffer Overflow (CWE-120)
2026-05-18 VulDB GHSA-72qw-jfp3-cf43
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Updated
May 18, 2026 - 02:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 18, 2026 - 02:22 vuln.today
cvss_changed
CVSS changed
May 18, 2026 - 02:22 NVD
8.8 (HIGH) 7.4 (HIGH)
Analysis Generated
May 18, 2026 - 01:43 vuln.today

DescriptionCVE.org

A flaw has been found in Edimax BR-6428NS 1.10. This affects the function formL2TPSetup of the file /goform/formL2TPSetup of the component POST Request Handler. This manipulation of the argument L2TPUserName causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stack buffer overflow in the Edimax BR-6428NS router firmware version 1.10 allows authenticated remote attackers to corrupt memory by sending a crafted POST request to the formL2TPSetup handler with an oversized L2TPUserName parameter. Publicly available exploit code exists via a third-party Notion writeup, and the vendor was contacted but did not respond, leaving devices exposed without a coordinated fix. No CISA KEV listing or EPSS data is available to confirm active mass exploitation, but the combination of a public PoC and unresponsive vendor elevates real-world risk for any internet-exposed device.

Technical ContextAI

The Edimax BR-6428NS is a consumer-grade SOHO wireless router whose web management interface exposes /goform/* CGI endpoints typical of Realtek-based SDK firmware. The vulnerable handler formL2TPSetup processes POST parameters used to configure L2TP VPN client settings; the L2TPUserName argument is copied into a fixed-size stack buffer without proper bounds checking, matching CWE-120 (Classic Buffer Overflow / unbounded copy of input to buffer). Because embedded MIPS/ARM router firmware of this generation typically lacks modern mitigations such as stack canaries, ASLR, and non-executable stacks, such overflows commonly translate into reliable control-flow hijack or at minimum a denial-of-service crash of the httpd daemon.

RemediationAI

No vendor-released patch identified at time of analysis, as Edimax did not respond to the VulDB disclosure attempt. Operators should treat the BR-6428NS 1.10 as end-of-support and replace it with a currently maintained router; if immediate replacement is not feasible, restrict access to the web management interface by disabling WAN-side administration entirely, binding the admin httpd to the LAN interface only, and placing the device behind an upstream firewall that blocks inbound TCP to its HTTP/HTTPS admin ports. Additionally, change default credentials to a strong unique password to raise the bar for the PR:L authentication requirement, disable L2TP/VPN client functionality if unused so the formL2TPSetup endpoint is not exercised, and monitor the device for unexpected reboots indicative of crash-based probing. The trade-off of disabling remote admin is the loss of off-LAN management convenience; replacement remains the only durable remediation given vendor inactivity. Reference advisories: https://vuldb.com/vuln/364400 and the public PoC at https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6428NS-formL2TPSetup-34b53a41781f8046b38bffcc190c5277.

Share

CVE-2026-8775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy