Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A flaw has been found in Edimax BR-6428NS 1.10. This affects the function formL2TPSetup of the file /goform/formL2TPSetup of the component POST Request Handler. This manipulation of the argument L2TPUserName causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Stack buffer overflow in the Edimax BR-6428NS router firmware version 1.10 allows authenticated remote attackers to corrupt memory by sending a crafted POST request to the formL2TPSetup handler with an oversized L2TPUserName parameter. Publicly available exploit code exists via a third-party Notion writeup, and the vendor was contacted but did not respond, leaving devices exposed without a coordinated fix. No CISA KEV listing or EPSS data is available to confirm active mass exploitation, but the combination of a public PoC and unresponsive vendor elevates real-world risk for any internet-exposed device.
Technical ContextAI
The Edimax BR-6428NS is a consumer-grade SOHO wireless router whose web management interface exposes /goform/* CGI endpoints typical of Realtek-based SDK firmware. The vulnerable handler formL2TPSetup processes POST parameters used to configure L2TP VPN client settings; the L2TPUserName argument is copied into a fixed-size stack buffer without proper bounds checking, matching CWE-120 (Classic Buffer Overflow / unbounded copy of input to buffer). Because embedded MIPS/ARM router firmware of this generation typically lacks modern mitigations such as stack canaries, ASLR, and non-executable stacks, such overflows commonly translate into reliable control-flow hijack or at minimum a denial-of-service crash of the httpd daemon.
RemediationAI
No vendor-released patch identified at time of analysis, as Edimax did not respond to the VulDB disclosure attempt. Operators should treat the BR-6428NS 1.10 as end-of-support and replace it with a currently maintained router; if immediate replacement is not feasible, restrict access to the web management interface by disabling WAN-side administration entirely, binding the admin httpd to the LAN interface only, and placing the device behind an upstream firewall that blocks inbound TCP to its HTTP/HTTPS admin ports. Additionally, change default credentials to a strong unique password to raise the bar for the PR:L authentication requirement, disable L2TP/VPN client functionality if unused so the formL2TPSetup endpoint is not exercised, and monitor the device for unexpected reboots indicative of crash-based probing. The trade-off of disabling remote admin is the loss of off-LAN management convenience; replacement remains the only durable remediation given vendor inactivity. Reference advisories: https://vuldb.com/vuln/364400 and the public PoC at https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6428NS-formL2TPSetup-34b53a41781f8046b38bffcc190c5277.
Stack buffer overflow in the Edimax BR-6428NS router (firmware 1.10) allows remote authenticated attackers to corrupt me
Buffer overflow in the Edimax BR-6428NS 1.10 router's web management interface allows authenticated remote attackers to
Stack buffer overflow in the Edimax BR-6428NS 1.10 wireless router allows authenticated remote attackers to corrupt memo
Command injection in the Edimax BR-6428NS 1.10 wireless router's web management interface allows a remotely authenticate
Command injection in Edimax BR-6428NS firmware version 1.10 exposes the device's operating system to remote command exec
Command injection in Edimax BR-6428NS firmware v1.10 allows authenticated remote attackers to execute arbitrary system c
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30721
GHSA-72qw-jfp3-cf43